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Header (32 bytes): 



302 



Original flow data type 1 


Number of entries


Router uptime (ms)


Unixsecs on router 






oflg^ggiP, _ **%m??& a!, .-V 1 




Flow sequence counter 


Engine type


Engine ID












liper addr ( 




Entry (52 bytes): 





Source addr (in host order) 



Dest addr (in host order) 



Next hop addr (in host order) 



In interface 



Out interface 



Packets 



Bytes 



Flow start time 



Flow end time 



Source port 



Padding | TCP flags



Source AS 



Src net len 



Dst net len 



Dest port 



IP protocol 



TOS 



Dest AS 



Padding 



Flows



304 
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File header (16 bytes): y 402 



Magic number 



Version 
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Total file size 



Data Header (28 bytes): _ . A 04 
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Data checksum 
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Enter Parameter Value: 



506 
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Network Traffic Data Collection and Analysis 



Enter Management Command: 



512 



Show buffersize 



514 
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Network Traffic Data Collection and Analysis 
Enter Query Command: 522 

-524 



MQ hist protocol 
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Network Traffic Data Collection and Analysis 
Enter Advanced Query: 532 



Mquery { If (SourceAddr & 255.255.0.0) = ~ 534 

10.0.0.0 {Print "Found"} } 
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MQ "Keyword' 
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Pre-packaged Queries 
604 
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// Copyright (c) 2000-2001 Asta Networks. All rights reserved. 



#ifndef _MARIO_QUERIES_HH_

#define _MARIO_QUERIES_HH_

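// Query version constants.
//
// MARIO_QUERY_VERSION packs the major number into the high nibble and the
// minor number into the low nibble, so 4.2 is 0x42. The minor number has to
// stay below 16, otherwise it carries into the major nibble.
enum QueryVersions
{
    MARIO_MAJOR_QUERY_VERSION = 4,
    MARIO_MINOR_QUERY_VERSION = 2,

    MARIO_QUERY_VERSION = ((MARIO_MAJOR_QUERY_VERSION << 4)
                           + MARIO_MINOR_QUERY_VERSION)
};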

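// Command codes, values 1..26.
//
// Restored from a scanned listing: the values 1..7 had drifted away from
// their names, several underscores were lost, and a "Figure 10a" caption
// sat inside the enum body.
// NOTE(review): no entry with value 16 is legible in the scan, and the
// entry with value 18 is badly garbled; CMD_INCR_VAR_BY is inferred from
// the CMD_INCR_LVAR / CMD_INCR_LVAR_BY pair that follows it. Underscore
// placement in names the scan printed without separators is inferred too.
// Confirm all of these against the original listing.
// NOTE(review): if these codes are decoded from a stored or received
// query, the decoder should reject any value not listed here instead of
// dispatching on it -- TODO confirm how the consumer handles that.
enum Commands
{
    CMD_PRINT_SYSTEMVALUE   = 1,
    CMD_PRINT_NUMBER        = 2,
    CMD_PRINT_STRING        = 3,
    CMD_PRINT_NEWLINE       = 4,
    CMD_PRINT_HIST          = 5,
    CMD_PRINT_HIST_KEYS     = 6,
    CMD_SET_VAR             = 7,

    CMD_IF                  = 8,
    CMD_IF_ELSE             = 9,

    WITH_FIRST_PACKET       = 10,
    WITH_LAST_PACKET        = 11,

    FOR_EACH_PACKET         = 12,
    FOR_EACH_FLOW           = 13,

    CMD_DEF_HIST            = 14,
    CMD_ADD_TO_HIST         = 15,

    // value 16: not legible in the scan (see note above)

    CMD_INCR_VAR            = 17,
    CMD_INCR_VAR_BY         = 18,  // inferred name (see note above)
    CMD_INCR_LVAR           = 19,
    CMD_INCR_LVAR_BY        = 20,
    CMD_PRINT_LVAR          = 21,

    CMD_DEF_ARRAY           = 22,
    CMD_ADD_TO_ARRAY        = 23,
    CMD_PRINT_ARRAY         = 24,
    CMD_PRINT_ARRAY_BY_PKT  = 25,
    CMD_PRINT_ARRAY_BY_FLOW = 26
};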

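// Numeric value tags, 0x80..0x86.
//
// Judging by the names, each tag says where a numeric value comes from
// (a constant, a header field, a flow field, ...) -- TODO confirm against
// the code that consumes them.
// NOTE(review): the scan printed CONSTANTBYTEVALUE, SYSTEMVALUE and
// VARVALUE without separators; the underscores below follow the pattern of
// CONSTANT_INT_VALUE / HEADER_VALUE / FLOW_VALUE and should be confirmed.
enum NumericValues
{
    CONSTANT_BYTE_VALUE = 0x80,
    CONSTANT_INT_VALUE  = 0x81,
    HEADER_VALUE        = 0x82,
    FLOW_VALUE          = 0x83,
    SYSTEM_VALUE        = 0x84,
    VAR_VALUE           = 0x85,
    TCPFLAGS_VALUE      = 0x86
};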



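// Selectors for the fields of a flow-data header, values 0..12.
//
// The per-member comments are the original author's.
// NOTE(review): the scan replaced or dropped several underscores; the
// spelling of HV_AGGMETHOD and HV_AGG_VERSION in particular is inferred
// and should be confirmed against the original listing.
enum HeaderValues
{
    HV_ORIGTYPE     = 0,  // Original flow data type
    HV_COUNT        = 1,  // The number of records
    HV_ROUTERUPTIME = 2,  // Time in millisecs since router booted
    HV_ROUTERSECS   = 3,  // Seconds since 0000 UTC 1970 on router
    HV_SENSORSECS   = 4,  // Seconds since 0000 UTC 1970 on sensor
    HV_SEQNUM       = 5,  // Seq counter of total flows seen
    HV_ENGINETYPE   = 6,  // Type of interface generating the flows
    HV_ENGINEID     = 7,  // ID of interface generating the flows
    HV_ROUTERMSECS  = 8,  // Unix millisecs on router
    HV_AGGMETHOD    = 9,  // Aggregation method (for NetFlow v8+)
    HV_AGG_VERSION  = 10, // Aggregation version (for NetFlow v8+)
    HV_SAMPINTERVAL = 11, // Sampling interval
    HV_SENDERADDR   = 12  // IP address where this data came from
};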

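// Selectors for the fields of a single flow entry, values 0..20.
//
// The per-member comments are the original author's.
// NOTE(review): the scan reads "FVJPROTOCOL" for value 13; FV_PROTOCOL is
// the reading used here, but FV_IPROTOCOL is also possible -- confirm
// against the original listing. Other underscores the scan replaced with
// spaces or dropped (FV_SRCADDR, FV_DSTADDR, FV_TCPFLAGS, ...) are restored
// by analogy with the members printed intact.
enum FlowValues
{
    FV_SRCADDR  = 0,  // IP address of source
    FV_DSTADDR  = 1,  // IP address of destination
    FV_NEXTHOP  = 2,  // IP address of next-hop router
    FV_IN_IF    = 3,  // ID of incoming interface
    FV_OUT_IF   = 4,  // ID of outgoing interface
    FV_NUMPKTS  = 5,  // Number of packets in the flow
    FV_NUMBYTES = 6,  // Number of bytes in the flow
    FV_FIRST    = 7,  // On routerUptime scale, when flow started
    FV_LAST     = 8,  // On routerUptime scale, when flow ended
    FV_SRCPORT  = 9,  // Layer 4 source port
    FV_DSTPORT  = 10, // Layer 4 destination port
    FV_PAD8     = 11, // UNUSED
    FV_TCPFLAGS = 12, // OR of all flags seen in flow, or ACK
    FV_PROTOCOL = 13, // Layer 3 protocol
    FV_TOS      = 14, // Type of service
    FV_SRC_AS   = 15, // Source autonomous system
    FV_DST_AS   = 16, // Destination autonomous system
    FV_SRC_MASK = 17, // Number of valid src addr bits for netmask
    FV_DST_MASK = 18, // Number of valid dst addr bits for netmask
    FV_PAD16    = 19, // UNUSED
    FV_FLOWS    = 20  // Number of flows (when aggregated)
};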

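// Operator codes, 0xc0..0xd4: logical, bitwise, comparison and arithmetic.
//
// Restored from a scanned listing that confused the digits 0/1 with the
// letters O/l in several hex constants and printed one "-" where "=" is
// required (OP_LVAR_MUL_DIV).
// NOTE(review): the entry with value 0xc7 is illegible in the scan; OP_EQ
// is inferred from its position directly before OP_NE -- confirm against
// the original listing.
// NOTE(review): OP_DIV and OP_MOD are listed here; whether the evaluator
// guards against a zero divisor cannot be seen from this header -- verify
// in the code that executes these operators.
enum Operators
{
    OP_LGC_NOT      = 0xc0,
    OP_LGC_AND      = 0xc1,
    OP_LGC_OR       = 0xc2,

    OP_BIT_NOT      = 0xc3,
    OP_BIT_AND      = 0xc4,
    OP_BIT_OR       = 0xc5,
    OP_BIT_XOR      = 0xc6,

    OP_EQ           = 0xc7,  // inferred name (see note above)
    OP_NE           = 0xc8,
    OP_GT           = 0xc9,
    OP_GE           = 0xca,
    OP_LT           = 0xcb,
    OP_LE           = 0xcc,

    OP_ADD          = 0xcd,
    OP_SUB          = 0xce,
    OP_MUL          = 0xcf,
    OP_DIV          = 0xd0,
    OP_MOD          = 0xd1,
    OP_TRN          = 0xd2,

    OP_LVAR_MUL_DIV = 0xd3,
    OP_MUL_DIV_32   = 0xd4
};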



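// Print-format selectors, values 0..14.
//
// PT_HEXDWORD is an alias of PT_HEX and shares the value 4.
// NOTE(review): the scan printed PTINT, PTIPADDR, PTHEXBYTE, PTHEXDWORD
// and "PTTCPFL AGS" without their separators; the underscores follow the
// members printed intact (PT_UINT, PT_HEX, PT_HEXWORD) and should be
// confirmed against the original listing.
enum PrintTypes
{
    PT_UINT     = 0,
    PT_INT      = 1,
    PT_IPADDR   = 2,
    PT_8BITS    = 3,
    PT_HEX      = 4,
    PT_PROTOCOL = 5,
    PT_TCPFLAGS = 6,
    PT_TM_MSECS = 7,
    PT_TM_SECS  = 8,
    PT_CUINT    = 9,
    PT_CINT     = 10,
    PT_HEXBYTE  = 11,
    PT_HEXWORD  = 12,
    PT_BOOL     = 13,
    PT_SAMPINT  = 14,
    PT_HEXDWORD = PT_HEX
};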

// Histogram value-type tags, 0x71..0x77.
//
// NOTE(review): the names suggest each tag selects how values recorded
// under the same histogram key are combined (sum, bitwise OR, max, ...);
// that is not visible from this header -- confirm in the histogram code.
enum HistogramValueTypes
{
    HIST_SUM    = 0x71,
    HIST_OR     = 0x72,
    HIST_MAX    = 0x73,
    HIST_MIN    = 0x74,
    HIST_FIRST  = 0x75,
    HIST_LAST   = 0x76,
    HIST_UNIQUE = 0x77
};

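// System value selectors, values 0..2.
//
// The scan split the second name ("SYS VAL_CURRENT_TIME"); it is restored
// to match the SYSVAL_ prefix of its two neighbours.
enum SystemValues
{
    SYSVAL_VERSION_STRING = 0,
    SYSVAL_CURRENT_TIME   = 1,
    SYSVAL_DATA_PRESENT   = 2
};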

#endif // _MARIO_QUERIES_HH_ 
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